diff --git a/bbs/ajax.write.token.php b/bbs/ajax.write.token.php
new file mode 100644
index 000000000..bc7b41dcc
--- /dev/null
+++ b/bbs/ajax.write.token.php
@@ -0,0 +1,11 @@
+'', 'token'=>$token, 'url'=>'')));
+}
\ No newline at end of file
diff --git a/bbs/qadelete.php b/bbs/qadelete.php
index fa6036f9e..2ac1b2e97 100644
--- a/bbs/qadelete.php
+++ b/bbs/qadelete.php
@@ -4,11 +4,13 @@ include_once('./_common.php');
 if($is_guest)
     alert('회원이시라면 로그인 후 이용해 주십시오.', G5_URL);
+$token = isset($_REQUEST['token']) ? $_REQUEST['token'] : '';
+
 $delete_token = get_session('ss_qa_delete_token');
 set_session('ss_qa_delete_token', '');
-//관리자가 아닌경우에는 토큰을 검사합니다.
-if (!$is_admin && !($token && $delete_token == $token))
+//모든 회원의 토큰을 검사합니다.
+if (!($token && $delete_token === $token))
     alert('토큰 에러로 삭제 불가합니다.');
 $tmp_array = array();
diff --git a/bbs/qalist.php b/bbs/qalist.php
index 6b8da8cfb..08fd0b175 100644
--- a/bbs/qalist.php
+++ b/bbs/qalist.php
@@ -6,6 +6,12 @@ if($is_guest)
 $qaconfig = get_qa_config();
+$token = '';
+if( $is_admin ){
+    $token = _token();
+    set_session('ss_qa_delete_token', $token);
+}
+
 $g5['title'] = $qaconfig['qa_title'];
 include_once('./qahead.php');
@@ -13,6 +19,7 @@ $skin_file = $qa_skin_path.'/list.skin.php';
 $is_auth = $is_admin ? true : false;
 $category_option = '';
+
 if ($qaconfig['qa_category']) {
     $category_href = G5_BBS_URL.'/qalist.php';
diff --git a/bbs/qaview.php b/bbs/qaview.php
index 7ff48b628..59543188f 100644
--- a/bbs/qaview.php
+++ b/bbs/qaview.php
@@ -10,6 +10,9 @@ if($is_guest)
 $qaconfig = get_qa_config();
 $content = '';
+$token = _token();
+set_session('ss_qa_delete_token', $token);
+
 $g5['title'] = $qaconfig['qa_title'];
 include_once('./qahead.php');
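Review bot: In qadelete.php the token is read from `$_REQUEST`, so the delete token is also accepted from a cookie, and a non-string value (`token[]=x`) reaches the comparison untouched; the view links built in qaview.php carry it in the query string and the list form, if it posts, in the body, so read those two sources explicitly: `$token = isset($_POST['token']) ? $_POST['token'] : (isset($_GET['token']) ? $_GET['token'] : '');` followed by `if (!is_string($token)) $token = '';`. Because `$delete_token` is a session secret, `hash_equals((string)$delete_token, $token)` is the idiomatic comparison and keeps the strict-string semantics that replacing `==` with `===` introduced. Clearing `ss_qa_delete_token` before the check, making the token single-use, is right. The token still travels in a GET URL (`&token=` in qaview.php), where it can be exposed via the Referer header; moving deletion to a POST form is the longer-term fix.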
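Review bot: The admin branch in qalist.php writes `ss_qa_delete_token` into the same single session slot that qaview.php now overwrites on every view (and qadelete.php clears), so an admin who opens the list and then a question in a second tab gets the token error on the list's delete action; qawrite.php's `ss_qa_write_token` has the same one-slot behaviour for two open write forms. If multiple tabs are expected, keep a small bounded set of recent tokens per session (or one per qa_id) rather than a single value. Style: `if( $is_admin ){` departs from the file's `if($is_guest)` form; write it `if($is_admin) {`.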
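Review bot: qaview.php now issues the delete token on every view, before `include_once('./qahead.php')`, rather than only when the delete link is rendered; that is fine for correctness, but it also means a view by a member who cannot delete anything overwrites an admin's outstanding token for the same session, so the multi-tab conflict noted for qalist.php applies here as well. Consider generating the token only inside the branch that builds `$delete_href`/`$answer_delete_href` (the block in the later hunk of this file), or scoping tokens per qa_id.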
@@ -110,9 +113,9 @@ if(is_file($skin_file)) {
         $update_href = G5_BBS_URL.'/qawrite.php?w=u&qa_id='.$view['qa_id'].$qstr;
     }
     */
+
     if(($view['qa_type'] && $is_admin) || (!$view['qa_type'] && $view['qa_status'] == 0)) {
         $update_href = G5_BBS_URL.'/qawrite.php?w=u&qa_id='.$view['qa_id'].$qstr;
-        set_session('ss_qa_delete_token', $token = uniqid(time()));
         $delete_href = G5_BBS_URL.'/qadelete.php?qa_id='.$view['qa_id'].'&token='.$token.$qstr;
     }
@@ -129,7 +132,7 @@ if(is_file($skin_file)) {
     if($is_admin) {
         $answer_update_href = G5_BBS_URL.'/qawrite.php?w=u&qa_id='.$answer['qa_id'].$qstr;
-        $answer_delete_href = G5_BBS_URL.'/qadelete.php?qa_id='.$answer['qa_id'].$qstr;
+        $answer_delete_href = G5_BBS_URL.'/qadelete.php?qa_id='.$answer['qa_id'].'&token='.$token.$qstr;
     }
 }
diff --git a/bbs/qawrite.php b/bbs/qawrite.php
index 86d65d037..fb041e0ad 100644
--- a/bbs/qawrite.php
+++ b/bbs/qawrite.php
@@ -13,6 +13,8 @@ if($is_guest)
     alert('회원이시라면 로그인 후 이용해 보십시오.', './login.php?url='.urlencode(G5_BBS_URL.'/qalist.php'));
 $qaconfig = get_qa_config();
+$token = _token();
+set_session('ss_qa_write_token', $token);
 $g5['title'] = $qaconfig['qa_title'];
 include_once('./qahead.php');
diff --git a/bbs/qawrite_update.php b/bbs/qawrite_update.php
index 9b4416cc7..7a74e6083 100644
--- a/bbs/qawrite_update.php
+++ b/bbs/qawrite_update.php
@@ -12,6 +12,15 @@ if($is_guest)
 $msg = array();
+$write_token = get_session('ss_qa_write_token');
+set_session('ss_qa_write_token', '');
+
+$token = isset($_POST['token']) ? clean_xss_tags($_POST['token'], 1, 1) : '';
+
+//모든 회원의 토큰을 검사합니다.
+if (!($token && $write_token === $token))
+    alert('토큰 에러로 삭제 불가합니다.');
+
 // 1:1문의 설정값
 $qaconfig = get_qa_config();
 $qa_id = isset($_POST['qa_id']) ? (int) $_POST['qa_id'] : 0;
diff --git a/mobile/skin/qa/basic/list.skin.php b/mobile/skin/qa/basic/list.skin.php
index 0bf98e366..7db40baf0 100644
--- a/mobile/skin/qa/basic/list.skin.php
+++ b/mobile/skin/qa/basic/list.skin.php
@@ -45,6 +45,7 @@ add_stylesheet('', 0);
+
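Review bot: In qawrite.php the write token is generated and stored on every page load, but nothing in this diff shows the write form emitting it as a hidden `token` field (the only skin hunk, mobile list.skin.php, is cut off here); if the PC and mobile write skins are not updated in the same change, every submission will be rejected by the new check in qawrite_update.php. Please confirm the skins post `$token`, and document the contract with a comment at the `set_session('ss_qa_write_token', $token);` line, e.g. `// consumed once by qawrite_update.php; the write skin must post it as hidden field "token"`.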
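Review bot: The failure message in the new qawrite_update.php check is copied from the delete path and says deletion is blocked (`'토큰 에러로 삭제 불가합니다.'`) although this is the write/update endpoint; change it to `alert('토큰 에러로 등록 불가합니다.');` (or wording that covers both new posts and edits). Passing the token through `clean_xss_tags($_POST['token'], 1, 1)` before an exact comparison adds nothing and would reject a valid token if the sanitizer ever altered a character it contains; `is_string($_POST['token'])` plus `hash_equals((string)$write_token, $token)` is the cleaner guard for a session secret. Clearing `ss_qa_write_token` before the check is correct and makes the token single-use.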